From mboxrd@z Thu Jan 1 00:00:00 1970 From: Christian Brauner Subject: Re: [PATCH 1/2] pid: add pidfd_open() Date: Thu, 16 May 2019 16:05:08 +0200 Message-ID: <20190516140507.75crjbaulasw6mj6@brauner.io> References: <20190515100400.3450-1-christian@brauner.io> <20190516130813.i66ujfzftbgpqhnh@brauner.io> Mime-Version: 1.0 Return-path: DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=brauner.io; s=google; h=date:from:to:cc:subject:message-id:references:mime-version :content-disposition:in-reply-to:user-agent; bh=bYyJnADr9ubhW5oaXdh9WlhTHjyzAGu0DQI2eQ+pHaE=; b=MhjOHc+12NO1kjqTg26hcfpFarWJK6UO4uKen3mnBZiVvgNz65ljzXS/ZRyK+jjEzc /JF15wWLnH7LRgIqtY0MD+nIanFGFyFhIksGgTJWi2bGoTMD18BMjjca67gxxRvxi8+0 yQTTRxRIh7g2VDxBQ0zKZz1vXg1chuW2SN2qbepgb4FeuGMxhGooqxVI7+7FHAOj9N1M FHodeukkhZGpge8teMzG2zc9TJCjzMji+6KCaGF81DZdV6StlcqORhINQ4uQjbmc8vco TjK91z8PkXrFbRk1vdkCD5WKK6krFwmTdVA0wTPdFmhQ9BFoHPYiofHEVgNBJZi0CYJz Lvrg== Content-Disposition: inline In-Reply-To: Sender: linux-kernel-owner@vger.kernel.org List-ID: Content-Type: text/plain; charset="us-ascii" Content-Transfer-Encoding: 7bit To: Jann Horn Cc: Daniel Colascione , Oleg Nesterov , Al Viro , Linus Torvalds , linux-kernel , Arnd Bergmann , David Howells , Andrew Morton , Aleksa Sarai , "Eric W. Biederman" , Elena Reshetova , Kees Cook , Andy Lutomirski , Andy Lutomirski , Thomas Gleixner , linux-alpha@vger.kernel.org, linux-arm-kernel@lists.infradead.org, linux-ia64@vger.kernel.org, linux-m68k@lists.linux-m68k.org, linux-mips@vger.kernel.org, linux-parisc@vger.kern On Thu, May 16, 2019 at 04:03:27PM +0200, Jann Horn wrote: > On Thu, May 16, 2019 at 3:08 PM Christian Brauner wrote: > > On Wed, May 15, 2019 at 10:45:06AM -0700, Daniel Colascione wrote: > > > On Wed, May 15, 2019 at 3:04 AM Christian Brauner wrote: > > > > > > > > This adds the pidfd_open() syscall. It allows a caller to retrieve pollable > > > > pidfds for a process which did not get created via CLONE_PIDFD, i.e. for a > > > > process that is created via traditional fork()/clone() calls that is only > > > > referenced by a PID: > [...] > > > > +/** > > > > + * pidfd_open() - Open new pid file descriptor. > > > > + * > > > > + * @pid: pid for which to retrieve a pidfd > > > > + * @flags: flags to pass > > > > + * > > > > + * This creates a new pid file descriptor with the O_CLOEXEC flag set for > > > > + * the process identified by @pid. Currently, the process identified by > > > > + * @pid must be a thread-group leader. This restriction currently exists > > > > + * for all aspects of pidfds including pidfd creation (CLONE_PIDFD cannot > > > > + * be used with CLONE_THREAD) and pidfd polling (only supports thread group > > > > + * leaders). > > > > + * > > > > + * Return: On success, a cloexec pidfd is returned. > > > > + * On error, a negative errno number will be returned. > > > > + */ > > > > +SYSCALL_DEFINE2(pidfd_open, pid_t, pid, unsigned int, flags) > > > > +{ > [...] > > > > + if (pid <= 0) > > > > + return -EINVAL; > > > > > > WDYT of defining pid == 0 to mean "open myself"? > > > > I'm torn. It be a nice shortcut of course but pid being 0 is usually an > > indicator for child processes. So unless the getpid() before > > pidfd_open() is an issue I'd say let's leave it as is. If you really > > want the shortcut might -1 be better? > > Joining the bikeshed painting club: Please don't allow either 0 or -1 > as shortcut for "self". James Forshaw found an Android security bug a > while back (https://bugs.chromium.org/p/project-zero/issues/detail?id=727) > that passed a PID to getpidcon(), except that the PID was 0 > (placeholder for oneway binder transactions), and then the service > thought it was talking to itself. You could pick some other number and > provide a #define for that, but I think pidfd_open(getpid(), ...) > makes more sense. Yes, I agree. I left it as is for v1, i.e. no shortcut; getpid() should do. Christian